Dave Kristol:
> >The latest draft of the cookie spec. is at
> http://www.research.att.com/~dmk/cookie.html

Only two comments:

#4.3.5 Sending Cookies in Unverifiable Transactions Users must have       |
#control over sessions in order to insure privacy.
                                   ^^^^^^
Shouldn't this be `assure'?

#8.2 Cookie Spoofing
# [...]
#Note that a server at cracker.edu could send a cookie to the client and  |
#subsequently get both of the cookies in the preceding example as well as |
#its own.

I was confused by this, and after re-reading it twice, I think this is wrong. I believe this should be:

Note that a server called cracker.edu could send a cookie to the client without an explicit domain, and subsequently get the second cookie in the preceding example as well as its own.

Koen.

Received on Tuesday, 23 April 1996 12:24:57 EDT